Date: Thu, 29 Jan 2015 12:10:54 +0000
Message-ID: <20150129121054.Horde.CM1lx2L_ybSEiqc7NkNzhw3@mail.das-netzwerkteam.de>
From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
To: submit@bugs.x2go.org
Subject: DirectRDP: X2Go Client reveals user password in process list if xfreerdp is used

Package: x2goclient
Severity: grave

When a user uses X2Go Client for directly accessing an RDP Server, then one
can use the DirectRDP feature.

The DirectRDP feature allows wrapping around the rdesktop command or the
xfreerdp command.

With both wrapper modes, the password is given to the RDP client application
on the command line.

With rdesktop, the command line ($@) gets rewritten for the process list and
the password is replaced by XXXXXXXX.

With xfreerdp, the command line stays as is and reveals the RDP user's
password on the process list of the machine that X2Go Client runs on.

The FreeRDP people have added a command line option --from-stdin to xfreerdp
1.0.x for this purpose, that may be an option for use in X2Go Client.
However, I am not sure if this option survived in xfreerdp 1.1.x or later (it
is not on the xfreerdp man page for 1.1.0~git<sometime-in-2014> as shipped
with Debian jessie).

Mike



-- 

DAS-NETZWERKTEAM
mike gabriel, herweg 7, 24357 fleckeby
fon: +49 (1520) 1976 148

GnuPG Key ID 0x25771B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

freeBusy:
https://mail.das-netzwerkteam.de/freebusy/m.gabriel%40das-netzwerkteam.de.xfb

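The leak described in the report, reproduced as an added example that is not code from X2Go Client, rdesktop or FreeRDP: a wrapper spawns a child with the secret as an argv element, and any local user who reads the process list sees it; the same wrapper feeding the secret over a pipe (the `--from-stdin` idea mentioned above) leaves nothing in argv. The child here is a Python one-liner standing in for xfreerdp; the `/p:` and `/from-stdin` switches are mimicked only for illustration and no RDP client is started. The example assumes Linux `/proc` (it falls back to `ps -o args=` elsewhere), and the password value is a constructed sample.

```python
"""Added example (not X2Go Client, rdesktop or FreeRDP code): a secret passed
in argv is visible in the process list; a secret passed on stdin is not.

Assumptions: /proc/<pid>/cmdline is readable (Linux default, hidepid=0), or
`ps -o args=` exists; the child is a Python one-liner standing in for xfreerdp.
"""
import os
import subprocess
import sys

# Children that just stay alive long enough for us to inspect them.
ARGV_CHILD = "import time; time.sleep(30)"
STDIN_CHILD = "import sys, time; pw = sys.stdin.readline(); time.sleep(30)"


def cmdline_of(pid):
    """Return the command line of `pid` the way the process list shows it."""
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):
        with open(proc_path, "rb") as f:
            # argv elements are NUL-separated in /proc
            return f.read().replace(b"\0", b" ").decode("utf-8", "replace")
    out = subprocess.run(["ps", "-p", str(pid), "-o", "args="],
                         capture_output=True, text=True, check=False)
    return out.stdout


def secret_visible_when_passed_on_argv(password):
    """DirectRDP/xfreerdp style: the password is an argv element (leaks)."""
    # Popen returns only after the child has exec'd, so cmdline is final.
    child = subprocess.Popen([sys.executable, "-c", ARGV_CHILD, "/p:" + password])
    try:
        return password in cmdline_of(child.pid)
    finally:
        child.kill()
        child.wait()


def secret_visible_when_passed_on_stdin(password):
    """--from-stdin style: the password travels over a pipe, not argv."""
    child = subprocess.Popen([sys.executable, "-c", STDIN_CHILD, "/from-stdin"],
                             stdin=subprocess.PIPE)
    try:
        child.stdin.write((password + "\n").encode())
        child.stdin.flush()
        return password in cmdline_of(child.pid)
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    pw = "Constructed-Secr3t"  # constructed sample value, not a real credential
    print("argv  leaks password:", secret_visible_when_passed_on_argv(pw))
    print("stdin leaks password:", secret_visible_when_passed_on_stdin(pw))
```

Two caveats a practitioner will want: `/proc/<pid>/cmdline` is readable by every local user unless the mount uses `hidepid`, so the leak is not limited to the X2Go user's own session; and the rdesktop approach of overwriting its own argv with `XXXXXXXX` after parsing only narrows the window, since the real value is still exposed between `exec` and the overwrite. Handing the secret over a pipe, as above, avoids that window entirely.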
